Stories
Slash Boxes
Comments
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Bad Web Practice (from Apple!) 5 Comments More | Login | Reply /

 Full
 Abbreviated
 Hidden
More | Login | Reply
Loading... please wait.
  • The form submission is secure (see the ACTION attribute in the FORM tag). So the information is sent encrypted.

    The user doesn't get the reassuring lock icon on the form page, but that's arguably a misfeature in browsers. The important thing isn't whether the form is encrypted but whether the submission is encrypted, and there's no icon for that. You just get a warning if you have an insecure submission from a secure form, but I think a lot of people ignore those warnings.
    • I didn't notice that (and I'm sure the less web-saavy folks didn't either). The more paranoid among us would not have been reassured.

      Does the Web browser encrypt the information on the client side if the initial form isn't SSL'd? Meaning, couldn't it just send the form submission to the SSL server without getting the server's key to encode it? Does that make sense?
      • We're talking about two different HTTP requests that have nothing to do with each other (they could even be to completely separate servers). The first is the request to get the form, which the browser displays. Since the (empty) form doesn't contain any of your personal information, it doesn't matter whether that transaction is secure.

        The second happens when you submit the form and send the data to the server, which responds with the confirmation page. That's the transaction that needs to be secure.

        In mos
        • So here's where I'm clueless: when the browser posts the form (from a non-SSL server) to the SSL server, will it fetch the SSL server's certificate, verify it and encode the form data before posting the data itself?

          Just putting that in the ACTION tag and unprotecting the initial form doesn't "gel" with my understanding of how the transaction works.

          I guess I could put a sniffer between me and the Apple form and see.

          Thanks!
          • Yes. Think about it. The request that gets the form has nothing to do with the request that posts the data. The form could be on a completely different server from the form-data-processing script used in the action. Hell, the form could be just a file on your local computer with no web server involved, or there might not even be a form -- you could just be posting the data directly using LWP or something else.
Stories, comments, journals, and other submissions on use Perl; are Copyright 1998-2006, their respective owners.